Agencies yet to 'crack the code' on mobile management, security

By William Jackson

Sep 26, 2012

Mobility is not just the current IT buzzword, it also is seen as the key for unlocking greater productivity in the government workforce.

Government has embraced the secure, enterprise-focused BlackBerry phone and e-mail device, but workers are growing frustrated with the lack of choice as Apple and Android smart phones evolve rapidly in the commercial marketplace.

Agencies are beginning to adapt. Both the Nuclear Regulatory Commission and the Bureau of Alcohol, Tobacco, Firearms and Explosives are planning to launch limited bring-your-own-device (BYOD) programs this year, and the Defense Department has pilot programs for using Android and iOS phones and tablets.

The stumbling block is how to securely manage these mobile devices and the data on them.

“We haven’t cracked the code on mobile device management,” said DOD Deputy CIO Dave DeVries at a recent conference on telework and mobility.

“We don’t have the skill set today,” said NRC Acting Deputy CIO Mary Givinnes at the same conference.

One tool that could help mobile management is enterprise provisioning of services, which can simplify the task of managing devices by providing a single point of contact and management for mobile and other remote users. Government’s cloud-first and data center consolidation policies can be a step toward this solution, government officials said.

When the Army migrated to the Defense Information Systems Agency as its e-mail provider, DISA also became the service’s mobile provider, said Army Deputy CIO Michael Krieger. “We now know exactly how many devices we have, and we can see them all,” because they are all coming in through DISA’s private cloud, he said.

Agencies are not considering the indiscriminate use of private devices and the commingling of personal and government data, however. The key to expanding mobility is the ability to separate data from the device through the use of thin or zero clients, or the segregation and encryption of data.

DISA is experimenting with zero clients, devices that go a step farther than thin clients by not hosting their own operating systems, said Krieger. And industry is developing integrated sandboxes that can keep data segregated across laptop, smart-phone and tablet platforms.

The officials spoke Sept. 25 at the Telework Exchange’s semiannual Town Hall Meeting in Washington, which focused on the promises and challenges of mobility as an enabler for teleworking. Government has a policy of promoting telework among its employees, and the Telework Enhancement Act of 2010 requires agencies to put telework plans into place and identify those workers who are eligible to work outside the traditional office.

But the pace of technological change has been a barrier to effective teleworking, speakers said. The traditional wired desktop is rapidly being supplanted by laptops and by even more mobile smart phones and tablet computers.

When the ATF -- where about 90 percent of 7,000 employees work outside of offices -- did a desktop refresh three years ago, the traditional platform was abandoned, said Walter Bigelow of ATF’s IT systems management division. “If you had a heartbeat, you got a laptop” with a wireless card, he said. Now, the bureau is moving away from its BlackBerry devices to try more flexible iOS phones and tablets, he said. The bureau now fields about 6,000 laptops, 1,400 BlackBerrys, about 1,400 iPhones and about 300 iPads.

The DOD is moving in the same direction, DeVries said. It still uses BlackBerry for its mobile devices, but has pilots using about 5,000 iOS devices and about 3,000 Androids. Adapting to this new environment is difficult, however. DOD is large and changes course slowly, while Apple has released a new iOS version every year for five years, DeVries said. “How can I keep pace with that?”

One of the reasons Research in Motion’s BlackBerry has been popular with government is that it is inherently more secure, Krieger said. “BlackBerry really isn’t on the Internet,” but resides in the enterprise, where management and security can be more effectively provided.

Consumer devices rely directly on the Internet, which is a scary place. Gregory Wilshusen, director of information assurance issues for the Government Accountability Office, examined the mobile threat environment in a recent report and found -- not surprisingly -- that the threats are numerous, various and growing.

“The malicious software that affects these types of devices is expanding rapidly,” he said at the conference. “Fortunately, there are a number of controls that are a help,” such as enabling passwords, firewall and cryptography. “It is incumbent upon organizations as well as individuals to use these controls.”

But other challenges remain: how to ensure that sensitive information is not improperly exposed on a personal device, for instance, and conversely, how to ensure that personal information is not put at risk by government use of a device.

“We have spills” of information, Krieger said. When information is improperly sent in an e-mail, any device that has received it “gets wiped out and starts over.” Will users want to put their personal devices at risk of being wiped clean?

And with unlimited data plans becoming a thing of the past, will vendors offer dual data billing plans for personal devices, so that users are not charged for accessing work data?

Commercial technology exists or is being developed to enable the segregation and protection of different types of data on different platforms. But the challenge remains of finding a stable, scalable solution that can be applied not only across multiple vendor platforms but also across multiple device types, from laptops to tablets to smart phones. So far, agencies haven’t found what they’re looking for.


Reader Comments

Fri, Sep 28, 2012
Allan Marcus
Los Alamos

Until Apple can figure out a way to encrypt the whole device with FIPS certified protection, the US Government will have a hard time implementing iPhones and iPads in large numbers. Yes, the device has hardware based encryption, but as soon as you power on the device (even before a password is entered), the device is decrypted. Only apps protected with Apple Data Protection (and Mail is the only one from Apple) have truly encrypted data. Third party apps like Good or SafeZone provide their own encryption, but they are limited solutions. There still is no way to edit an Office document in an encrypted sandbox (Quick Office had a way, but Google canceled that version of Quick Office).
Pretty much the same is true with COTS Android.
We want to use more of these kinds of products, but we need more security.
Allan Marcus
Chief IT Architect
LANL
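The comment above draws a distinction between files an app has explicitly placed under Apple's Data Protection and everything else on the device. The following Swift snippet is an added illustration (not code from the article, the commenter, or Apple) of what that opt-in looks like from an app's side and how a reviewer can confirm the protection class actually applied. The function names and the sample bytes are constructed for this example; it uses only public Foundation APIs.

```swift
import Foundation

/// Write sensitive bytes so that the file is encrypted with a per-file key
/// that is unavailable while the device is locked (NSFileProtectionComplete).
/// Hypothetical helper name; the option flag itself is a real Foundation API.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Read back the protection class the filesystem recorded for the file.
/// Returns the raw class string (e.g. "NSFileProtectionComplete") or nil.
func protectionClass(of url: URL) throws -> String? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? String
}

/// Defender-side check: a file holding controlled data must be in the
/// "complete" class, not whatever default the platform assigned.
func isFullyProtected(_ url: URL) throws -> Bool {
    return try protectionClass(of: url) == FileProtectionType.complete.rawValue
}

// Constructed sample: a small payload written into the app's Documents directory.
let documents = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let target = documents.appendingPathComponent("constructed-sensitive.bin")
let sample = Data("constructed sample record".utf8)

do {
    try writeProtected(sample, to: target)
    print("protection class:", try protectionClass(of: target) ?? "none")
    print("fully protected:", try isFullyProtected(target))
} catch {
    print("error:", error)
}
```

This only demonstrates the app-level opt-in the comment refers to; it does not change how the rest of the device behaves, which is the commenter's broader point. Data Protection classes are enforced on physical hardware with a passcode set, so the check should be run on a device rather than in the simulator.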
